Description:

The Virtual Network Flow Logs in Azure provide detailed information about the flow of traffic within your virtual network. These logs capture data about network traffic to and from your resources, providing visibility into your network's security and traffic patterns. Setting the retention days for these logs ensures that they are stored for a defined period, allowing for later analysis, troubleshooting, and security auditing. Ensuring that the log retention is set to greater than or equal to 90 days allows for adequate time to review and analyze logs for compliance and security purposes.

Rationale:

Setting an adequate retention period for Virtual Network Flow Logs ensures that your organization can retain network traffic data for security analysis, troubleshooting, and auditing purposes. The 90-day retention period aligns with common regulatory and compliance requirements, ensuring that sufficient historical data is available for detecting malicious activity, resolving security incidents, and complying with industry standards (e.g., GDPR, SOC 2).

Impact:

By ensuring that Virtual Network Flow Log retention is set to 90 days or more, your organization improves its ability to monitor and analyze network traffic over an extended period. However, this will increase storage usage, as flow logs will be retained for a longer duration. Organizations must consider storage costs, especially if the flow logs are large or highly verbose. Azure charges for the storage used for logging, so it's essential to balance the retention period with cost considerations.

Default Value:

By default, Virtual Network Flow Log retention is typically set to 30 days. However, this can be manually configured to retain logs for a longer period, such as 90 days or more.

Pre-requisites:

  • Azure subscription.

  • Azure Network Watcher enabled in your region.

  • A storage account configured for log retention (i.e., to store the flow logs).

  • Owner, Contributor, or Network Contributor role permissions for configuring Azure Network Watcher settings.

Audit:

  1. Sign in to the Azure portal as a Global Administrator or Network Contributor.

  2. Navigate to Azure Network Watcher.

  3. Verify that Virtual Network Flow Logs retention is set to greater than or equal to 90 days.
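A scripted version of the audit above, added here and not part of the benchmark text: it evaluates each flow log's retention against the 90-day threshold and fails disabled logs or logs with no defined retention period. The JMESPath projection against `az network watcher flow-log list` and the sample rows are assumptions (constructed, not real resources).

```shell
#!/bin/sh
# Audit helper added here; it is not part of the benchmark text. It assumes the
# JMESPath projection in audit_region() is valid for the output of
# `az network watcher flow-log list` (one TSV row per flow log:
# name, enabled, retentionPolicy.enabled, retentionPolicy.days).
MIN_DAYS=90

# Reads "name<TAB>enabled<TAB>retention_enabled<TAB>days" rows from stdin,
# prints PASS/FAIL per flow log and returns 0 only if every row passes.
check_retention() {
  status=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name enabled ret_enabled days; do
    [ -n "$name" ] || continue
    # az prints booleans as True/False; normalise before comparing.
    enabled=$(printf '%s' "$enabled" | tr '[:upper:]' '[:lower:]')
    ret_enabled=$(printf '%s' "$ret_enabled" | tr '[:upper:]' '[:lower:]')
    case "$days" in ''|*[!0-9]*) days=0 ;; esac
    if [ "$enabled" != "true" ]; then
      echo "FAIL $name: flow log disabled, no traffic is being recorded"; status=1
    elif [ "$ret_enabled" != "true" ] || [ "$days" -eq 0 ]; then
      # days=0 keeps blobs indefinitely rather than for a defined window;
      # flagged so a reviewer confirms that matches the retention policy.
      echo "FAIL $name: no defined retention period (days=$days)"; status=1
    elif [ "$days" -lt "$MIN_DAYS" ]; then
      echo "FAIL $name: retention is $days days, below $MIN_DAYS"; status=1
    else
      echo "PASS $name: retention is $days days"
    fi
  done
  return $status
}

# Live audit of one region (requires `az login`); assumed query shape, see above.
audit_region() {
  az network watcher flow-log list --location "$1" -o tsv \
    --query "[].[name, enabled, retentionPolicy.enabled, retentionPolicy.days]" \
    | check_retention
}

# Constructed sample rows standing in for az output (no real resources).
sample_rows() {
  printf 'fl-prod-vnet\tTrue\tTrue\t90\n'
  printf 'fl-dev-nsg\tTrue\tTrue\t30\n'
  printf 'fl-legacy\tFalse\tTrue\t365\n'
  printf 'fl-forever\tTrue\tFalse\t0\n'
}

# Offline dry run: sample_rows | check_retention   (exit code 1, three FAIL lines)
```

Run `audit_region <region>` once per region where Network Watcher is enabled; a non-zero exit means at least one flow log does not meet the control.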

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Network Contributor permissions.

  2. Navigate to Azure Network Watcher:

    • In the Azure portal, go to Azure Network Watcher.

  3. Configure Flow Log Retention:

    • Under Network Watcher, select Flow Logs.

    • Ensure that Flow Logs are enabled for the desired Network Security Group (NSG) or Virtual Network.

    • Select the storage account where flow logs will be stored.

  4. Set Log Retention Period:

    • In the Flow Logs configuration panel, set the retention days to greater than or equal to 90 days.

    • If this option is not visible, navigate to Azure Monitor and configure log retention for Network Watcher flow logs from the Log Analytics workspace linked to the storage account.

Automate Retention Settings with Azure CLI (Optional): To automate this process using Azure CLI, run the following command:

az network watcher flow-log configure \
    --resource-group <Resource-Group-Name> \
    --network-watcher-name <Network-Watcher-Name> \
    --nsg <NSG-Name> \
    --enabled true \
    --storage-account <Storage-Account-ID> \
    --retention 90

  • Replace <Resource-Group-Name>, <Network-Watcher-Name>, <NSG-Name>, and <Storage-Account-ID> with your actual resource group name, network watcher name, network security group name, and storage account ID. The configure command requires the NSG the flow log is attached to; for a flow log scoped to a virtual network, use az network watcher flow-log create with --vnet instead.

  • This will configure flow log retention to 90 days.

  5. Monitor Flow Logs and Retention:

    • After configuring the retention settings, go to Azure Monitor and confirm that flow logs are being stored in the specified storage account.

    • Ensure that the logs are being retained for the specified period and that the configuration is applied correctly.

  6. Test and Verify:

    • Verify that Virtual Network Flow Logs are being generated and stored in the storage account.

    • Use Azure Monitor to review the flow log data and confirm that logs are being retained for the desired period.

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner, Contributor, or Network Contributor permissions.

  2. Navigate to Azure Network Watcher:

    • Go to Azure Network Watcher.

  3. Disable Flow Log Retention:

    • Under Flow Logs, select the storage account that holds the flow logs.

    • Remove or reduce the log retention period as required (e.g., revert to 30 days or disable the flow log retention).

Automate Disabling with Azure CLI (Optional): If you wish to automate disabling the retention or modifying it, you can use the Azure CLI command:

az network watcher flow-log configure \
    --resource-group <Resource-Group-Name> \
    --network-watcher-name <Network-Watcher-Name> \
    --nsg <NSG-Name> \
    --enabled true \
    --storage-account <Storage-Account-ID> \
    --retention <Desired-Retention-Days>

  • You can adjust the retention value to whatever is appropriate, such as 30 days, or disable retention altogether. Replace <NSG-Name> with the name of the network security group the flow log is attached to.

  4. Verify Log Retention:

    • Check that the retention period has been updated, and ensure that logs are not stored beyond the new retention policy.

    • Review Azure Monitor to verify that logs are no longer being retained for the extended period.

References: